[Oisf-users] alert timestamp

박경호 pgh5247 at naver.com
Wed Jul 5 08:38:05 UTC 2017


Hello all,
 
Until now, I understood that the timestamp in the alert log (fast.log or eve.json) is the same as the packet timestamp.
But the two timestamps are different.
To be precise, the timestamps are the same for some alert messages and different for others.
In my test, they were the same for the alert message "ET POLICY Dropbox Client Broadcasting..."
and different for "ET POLICY PE EXE or DLL Windows file download HTTP..."

Doesn't the timestamp in the alert log file mean the timestamp of the packet?

If you want the pcap file to test with, you can download it here: https://drive.google.com/open?id=0B4Mdb8bpuRlnU0pkZ002WWVFdFk

Please explain this to me.

Thanks in advance.
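One check that narrows down a question like this, added here as an example and not part of the thread: compare each alert's timestamp in eve.json with the start time of the flow it belongs to. Signatures that match on reassembled stream or HTTP data typically fire on a later packet than the flow's first one, so their alert timestamp lags the flow start. The sample records and signature names below are constructed, and the `flow.start` field is assumed to be present in the alert record.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed eve.json alert records (not from the thread's pcap). The layout
# follows Suricata's EVE alert output; "flow.start" is assumed to be logged.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2017-07-05T08:38:05.100000+0000",
                "event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.255",
                "proto": "UDP",
                "alert": {"signature_id": 9000001, "signature": "EXAMPLE broadcast rule"},
                "flow": {"start": "2017-07-05T08:38:05.100000+0000"}}),
    json.dumps({"timestamp": "2017-07-05T08:38:07.350000+0000",
                "event_type": "alert", "src_ip": "203.0.113.9", "dest_ip": "10.0.0.5",
                "proto": "TCP",
                "alert": {"signature_id": 9000002, "signature": "EXAMPLE file download rule"},
                "flow": {"start": "2017-07-05T08:38:05.200000+0000"}}),
    json.dumps({"timestamp": "2017-07-05T08:38:09.000000+0000",
                "event_type": "flow", "flow": {"start": "2017-07-05T08:38:05.200000+0000"}}),
]

# Suricata writes "+0000" style offsets; %z accepts them.
TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_ts(value):
    """Parse an EVE timestamp string into an aware datetime."""
    return datetime.strptime(value, TS_FMT)


def alert_gaps(lines):
    """Return {signature: [seconds between flow start and alert, ...]}.

    A gap of 0 means the alert carries the timestamp of the flow's first
    packet; a positive gap means it fired on a later packet of that flow.
    """
    gaps = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # only alert records are compared
        flow = rec.get("flow") or {}
        if "start" not in flow:
            continue  # no flow info logged with this alert
        gap = (parse_ts(rec["timestamp"]) - parse_ts(flow["start"])).total_seconds()
        gaps[rec["alert"]["signature"]].append(gap)
    return dict(gaps)


def late_alerts(lines, tolerance=0.001):
    """Signatures whose alert timestamp is later than the flow's first packet."""
    return sorted(sig for sig, g in alert_gaps(lines).items() if max(g) > tolerance)
```

Run over a real eve.json, signatures listed by `late_alerts` are the ones whose alert time is expected to differ from the first packet of the flow.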
 